The October 2023 data breach at DNA testing company 23andMe will now reportedly be investigated by the Office of the Privacy Commissioner of Canada (OPC) and the United Kingdom's Information Commissioner's Office (ICO).
23andMe, a genetics firm established in the United States, uses home saliva collection kits to analyze customers' DNA and give insights into aspects such as health and heritage.
According to the company's website, more than 12 million DNA testing kits have been sold since 2006. The data protection regulators of the United Kingdom and Canada have stated that they will work together to undertake the probe.
The probe will examine the breadth of the information compromised by the incident, as well as the possible impact on those affected.
The effectiveness of 23andMe's protections to secure the information under its control will also be evaluated, as will whether the business gave proper notification of the breach to the two regulators and impacted individuals.
In a statement, 23andMe said that it aims to comply with the regulators' reasonable requirements regarding the credential stuffing threat identified in October 2023.
23andMe Data Breach
The October 2023 data breach saw millions of users' information exposed on the dark web, sparking outrage among customers who entrusted their data to the company.
Even more worrying, the breach reportedly affected the accounts of notable personalities such as Mark Zuckerberg and Elon Musk.
While 23andMe has validated the legitimacy of the compromised data, it denies any technological hacking. Instead, it claims that client accounts were compromised through credential-stuffing attacks.
23andMe Shifts Blame
In January 2024, the DNA testing company went as far as to blame the victims of its recent data breach by sending letters indicating that the users were negligent in not updating their passwords following the incidents.
At the time, the corporation was seeking to deny any culpability for the event in which hackers acquired the sensitive data of around 6.9 million individuals, including genetic and health information.
Following the data breach, a separate investigation claims that thieves leaked around one million data points associated with Ashkenazi Jewish individuals, as well as equivalent data associated with over 300,000 Chinese users.
According to various estimates, the data breach has resulted in the circulation of up to 7 million 23andMe accounts, which may be available for purchase on the dark web.
Following the incident, 23andMe allegedly enhanced its security procedures by requiring two-factor authentication for all new and existing users; it also required all consumers to reset their passwords.
At the start of the data breach, hackers could access only roughly 14,000 user accounts. They got access to this initial set of victims by brute-forcing passwords believed to be associated with the targeted clients.